Wednesday 30 August 2017

ICS-CERT Issues Warning of CAN Bus Vulnerability

The US ICS-CERT issued an alert in response to a public report of a vulnerability in the Controller Area Network BUS (CAN BUS).

By Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
On Friday (28th of July), the Industrial Controls Systems Cyber Emergency Team or ICS-CERT, issued an alert in response to a public report of a vulnerability in the Controller Area Network (CAN), Bus standard.
The vulnerability detailed in the alert is a stealth Denial of Service attack that requires physical access to the CAN, and an attacker with extensive knowledge of how to reverse engineer the traffic. This ultimately results in the disruption of the availability of arbitrary functions of the target device.

The public report that is referenced in the ICS-CERT alert is from a group of Italian security researchers from Politecnico di Milano (the largest technical university in Italy), in their report the researchers detail how “modern vehicles incorporate tens of electrical control units (ECU’s) , driven by, according to estimates, as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based upon the CAN bus standard…”.

The report presents how the denial-of-service attack against the CAN bus standard is harder to detect, because it exploits the design of the CAN protocol at a low level. This allows an attacker to target malfunctions in safety-critical components or disable vehicle functionalities such as power steering or airbags for example.

The attack exploits the weakness in the CAN protocol, working between the physical and data link layers of the OSI stack without requiring any message sending capability to the attacker.
It is important to note that the research conducted in the report concluded that this attack is completely undiscoverable without a major restructure of the CAN bus networks, which is widely adopted in automotive, manufacturing, building automation, and hospitals.
A full proof of concept of the CAN denial-of-service was posted on Github, the project titled “A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks” proves the attack detailed in the paper released by Politecnico di Milano. The attack was delivered against a Alfa Romeo Giulietta using a Arduino Uno Rev 3 to disable the parking sensor module (identifier 06314018) on CAN B operating at 29 bit / 50 kbps.


In summary, this exploit focuses on recessive and dominate bits to cause malfunctions in CAN nodes rather than complete frames, which have been found in previously reported attacks which can be detected by IDS/IPS systems unlike this attack.

Because of how the denial of service attack exploits the design of the CAN protocol, and how easily an input port (typically ODB-II), can be accessed by a potential attacker the recommendation from ICS-CERT is to limit access to these input ports. They are also working with the automotive industry and other industries to strategize mitigation plans.

Finally, given how widely CAN bus is adopted by the automotive, healthcare, and manufacturing industries this further highlights how singular weaknesses in a secure environment can compromise the network as a whole.

Thursday 24 August 2017

Critical Vulnerabilities Discovered in Radiation Monitoring Devices (RDMs) at Power Plants and Airports

Experts discovered flaws in widely deployed Radiation Monitoring Devices (RDMs) that could be triggered to raise false alarms and worse.

By Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
Previously published on 28th July 2017

This week at Black Hat in Las Vegas, researchers at information security firm IO Active, disclosed their findings on radiation monitoring devices from Ludum, Mirion, and Digi that were found to contain multiple unpatched vulnerabilities.


These vulnerabilities would allow an attacker to disrupt, delay, or obfuscate the detection of radioactive material, including leaks, which could lead to either risk of personal safety levels being impacted, or potentially aid smuggling of radioactive materials at airport/ports.
The findings from the report focus on the following:
  • Ludlum
    • 53 Gamma Personnel Portal Monitor
    • Gate Monitor Model 4525
  • Mirion
    • WRM2 Transmitters
  • Digi
    • XBee-PRO XSC 900
    • Xbee S3B (OEM)
Some of the vulnerabilities highlighted include hard-coded passwords with the highest level of privileges, this particular vulnerability was identified by reverse engineering the publicly available binaries of the Ludlum 53 Gamma Personal Portal- which detects gamma radiation in or on personnel passing through the portal from either direction:

Because of this “backdoor”, the authentication of the system can be effectively bypassed by a malicious actor to take control of the device, and according to the research paper would allow an attacker to disable it preventing RPM from triggering the appropriate alarms.

Additionally, the Ludlum Gate Monitor 4525 which is used to detect radioactive material in lorries cargo at ports, had a series of major configuration and security weaknesses, that would enable an attacker to conduct a MiTM (man-in-the-middle), attack.

According to the report, the Gate Monitor used protocols such as Port 20034/UDP and Port 23/TCP which does not deploy any encryption, effectively allowing an attacker to intercept/drop packets and falsify information or disable alarms.

With both of these vulnerabilities, an attacker would need to have compromised the WLAN, or devices connected to it, therefore using those machines to pivot to the Gate Monitor.
What about nuclear power plants?

The report also covered this with findings in both Digi firmware and Mirion’s devices. The researcher at IO Active Ruben Santamarta tested the software and firmware for the Mirion radiation monitoring devices that detect medium to long range radioactive levels at NPP (Nuclear Power Plants).

The WRM2 Devices software is written in .Net and Java, and uses the OEM XBee S3B wireless transceivers. The WRM2 software was reverse engineered by IO Active to reveal the encryption algorithm used to encrypt the firmware files (in the XCS-Pro and S3B-XSC), essentially allowing an attacker to modify or create a modified firmware.

This would allow an attacker to bypass the XBee’s AT Command handles and bypass OEM Network ID Read only protection, and transmit or receive from any XBee network.

In this scenario, attackers could intercept data or transmit false data to NPP systems either creating a falsified reading of a Radiation leak or create a Denial of Service attack, by interfering with the frames being sent to the WRM2 compatible devices.

The Vendors were all contacted under a responsible disclosure policy via ICS-CERT or directly:
Ludlum acknowledged the report but refused to address the issues, due to the devices being located at secure facilities. Mirion also acknowledges the report but cited that patching would effectively break the systems but is working collaboratively with Digi to address the issues.

In summary, this report further highlights the risks that third party components can introduce to high-risk targets such as nuclear power plants. With recent reports in the US of such assets being targeted and breached, this is an area that needs focus, not only from the organizations that are being targeted but also the technology providers who support Critical National Infrastructure.